Have you ever asked yourself the question: “So what if my VPN keeps logs?”

Don’t worry. It’s a good question to ask. It means you’re actually curious about the nuances of data collection, management and how they affect you. In order to answer this question, we first have to delve into the inner workings of a VPN.

A VPN (Virtual Private Network) is a type of software that extends a private network across a public network. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. In short, any applications running across a VPN can benefit from the functionality, security, and management of the private network.

How exactly does a VPN secure private data?

A VPN secures the data flowing from the user by channeling it through secure encrypted tunnels before it reaches the desired destination. It also masks your true IP address, thereby, protecting you from any online tracking. These functions are important because your data is usually left open and free for almost anyone to read. It’s just how online searches work.

Let me explain:

Every time you search for something on the web, the words you typed into your browser become part of a search query. The search query is meant to travel to a DNS (Domain Name System) server. This DNS server then searches through all the IP addresses in its directory until it finds the proper one. If it can’t find the proper IP address, it submits your search query to another DNS server and so on until a match is found.

However:

Before your search query even reaches the first DNS server, it still has to go through your ISP (Internet Service Provider). Only after going through this initial step does your search query actually travel to a DNS server.

This is a problem because your search query consists of data packets that contain plain text. This plain text can be analyzed and read by your ISP and any other person or entity that gets a hold of your connection. Once your search query is read, they can then be traced back to you via your IP address, which is usually linked to your personal information (name, age, location). Therefore,your ISP can track the websites you visitand make a record of it.

This becomes doubly problematic if a hacker is the one tracking you. Once they determine your personal identity, they can then use your data to commit one or more cyber crimes such as the following:

Phishing– This cyber attack relies on social engineering and psychological tactics to trick targets into clicking on a malicious link. The malicious link often contains malware or can be used as a platform for many other types of cyber attack. Hackers can use your identity and information to trick your contacts into clicking one of these malicious links.

Identity theft– You’ve probably heard about identity theft since it’s been around even before the internet was invented. It only gained a stronger foothold when the internet became widely available.

Malware campaigns– Hackers who gain access to your information and contacts can also use them to spread malware. The malware can do a lot of damage ranging from damaging computers and files, holding data ransom, and even turning computers and other devices into “bots”.

Blackmail– Hackers can use the information they gain to extort money from you or your contacts with the threat of publishing stolen information if their demands aren’t met.

That said:

With a VPN active, not only will the contents of your search queries be encrypted, but they won’t be traceable back to you since your true IP address is hidden. This is why VPNs are one of the most popular online security tools.

“So, does this mean that my data is 100% safe with any VPN?”

Not exactly.

What information a VPN collects

Just because a VPN promises to keep your data safe from anyone sniffing for it doesn’t mean that you should instantly trust that VPN then and there. You first have to check exactly what information they receive and collect. This information usually comes in 3 forms:

User Information

By signing up for a VPN, you’re already entrusting your user information to the company that runs it. Usually, signing up requires your first name, last name, home address, country of residence, your email address, payment details, your purchase history, and remaining subscription time.

Connection Logs

This information consists of incoming (ISP-assigned) and outgoing (VPN-assigned) IP addresses, timestamps, and total data transferred during each user session. The company uses this information to optimize the service and to provide better support to the users.

Usage Logs

Since your channeling the data through your VPN before it goes through your ISP, your VPN will, therefore, gain access to information on your search history, name and size of your downloads, as well as software and protocols used.

Now:

I don’t think I need to explain why a VPN company needs to collect and keep User information. Such information is simply needed to create a VPN account.

Most VPNs will, however, keep connection logs since this information is required to improve their service. What you should be concerned of are VPNs that keep usage logs. If you find a VPN that promises to keep “no logs”, they usually mean they don’t keep usage logs. None of thebest VPNskeep usage logs.

Why you should care about usage logs

The problem with usage logs can be summed up in 3 words:

“14-eyes jurisdictions”

The 14-eyes jurisdictions are the countries that took part or eventually joined theUKUSA Agreement. These countries agree to share signals intelligence between them. It’s because of this agreement that member countries can mandate data companies within their jurisdictions to record and surrender user data.

Data companies include ISPs and, of course, VPNs. While it’s damaging to a VPN’s reputation when it surrenders any user data to the authorities, they won’t have much of a choice but to comply or risk heftier penalties. The employees of these companies can’t be expected to willingly go to jail for their users’ data — especially if this data is connected to a crime.

This is actually what happened to theLulzSec Fiasco(HideMyAss VPN) and, most recently, to Newton manRyan Lin(Pure VPN). These two VPN companies claimed to not keep logs but they were still able to aid the authorities in finding the users connected to the respective crimes.

While I don’t condone the use of a VPN to hide criminal activities and I do believe that the criminals in both cases deserved the justice they got, there are 2 lessons we can glean from these cases: Users should be careful which VPN they trust; and Users shouldn’t go committing crimes in the first place (although this is beside the point).

How to know what information a VPN keeps

There are many ways to find what information a VPN keeps. Whenever I review a VPN, I usually check 4 sources:

The company’s Privacy Policy and Terms of Usage: It’s usually a slog to read through the legal jargon used in these pages but it’s worth it if it means you’re not getting fooled by sweet advertising ploys. Companies will usually list down the information they do and do not keep.

The VPN’s FAQ page: If you have a hard time understanding the legal jargon used in a company’s privacy policy or terms of usage, you can check their FAQ page instead. You’ll usually find the simple explanation for what information they keep.

Online forums and the News: If some users have had problems with their information being shared or if another info-sharing fiasco happens, you’ll be sure to find details on various online forums and news bulletins.

Conclusion

VPNs are meant to keep their users’ online data safe and private. However, not all VPNs can be trusted. It’s your responsibility to check what information they keep and whether or not they’re in a safe jurisdiction.

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in Milan, Italy.